Self-Encrypting Drives (SED): What You Need to Know

July 1, 2015

Why are Self-Encrypting Drives Required?

Hard-drives/SSDs used in a company or data center will be returned for repair, warranty, expired lease, or just abandoned after its useful life. Plus drives may get lost or stolen. These drives are not just hardware boxes, they may contain valuable data that can be recovered.

Self-encrypting drives can be used to encrypt all information as it is stored on the drive so that data is not exposed to third-party in a legible form, whether the drive is returned for repair or lost or discarded. A separate hardware ASIC is used within the drive to encrypt/decrypt data, and the process is transparent to users and storage operations.

How do Companies Dispose their Drives?

Companies may overwrite their drives with unintelligible data (time-consuming), physically shred their drives (difficult, environmental hazard), hire professional disposal services (expensive), or just keep them forever in warehouses (chances of getting lost). Instead, if they use self-encrypting drives, they don’t have to worry about data loss after disposal.

How does SED (Self-Encrypting Drive) technology work?

There are two modes of operation for Self-Encrypting Drives. In one mode, data is encrypted as it is written and decrypted when read. For a user during normal operation, SED drive works like any other drive. But during retirement, user sends a command which encrypts the data and deletes the encryption key or replaces it with a dummy one. This makes it impossible to make any sense out of the stored data, especially when strong encryption techniques like AES-128 & AES-256 are used.

In the second mode, there is an encryption key stored in the drive that remains constant and encrypts all incoming data. There is an additional authentication key which is required to decrypt and present the stored information to the user (read). When this drive is removed from the system, it may automatically get locked down and data will remain encrypted (hence safe) inside. The drive will require the authentication key once it is inserted back, otherwise it will not decrypt — present any data.

What are the Advantages of Self-Encrypting Drives?

SED drive manufacturers claim there is no performance impact due to encryption as a separate ASIC embedded into the drive takes care of the process. In contrast, software-based encryption technologies may have considerable impact on the system resources.

Also, everything stored is encrypted. This is better than selective encryption of only sensitive data which cannot be accurate. Encryption is transparent to other storage operations like compression, deduplication, etc. and hence storage efficiency is not affected.

The encryption key is stored for the long-term within the drive and is itself encrypted by the authentication key. There is nothing stored in clear text within the drive. The company only needs to manage/rotate authentication keys frequently (for security purpose) which can be done using software programs without having to re-encrypt all the data every time.

And of course, if the drive is returned, replaced, stolen, or lost the data at rest within the self-encrypting drive is safe and is not exposed to anyone.